
Index

Numbers
0-RTT data, 245
2G mobile communications, 89
3DES (triple DES), 59, 72–74. See also DES (Data Encryption Standard)
3G mobile communications, 91, 128
4G mobile communications, 78, 91, 128, 129

A
A5/1, 18, 88–91
Aaronson, Scott, 171, 178, 259, 269
Advanced Encryption Standard (AES), 53, 59
  AddRoundKey, 60
  block size, 54
  vs. DES, 59, 80
  and GCM, 152–154, 159, 161
  implementations, 62–64
  internals, 59–62
  KeyExpansion, 60
  MixColumns, 60
  with , 138
  and provable security, 48
  security of, 65
  ShiftRows, 60
  SubBytes, 60
  and TLS 1.3, 243–244
Advanced Vector Extensions (AVX), 55
AE. See authenticated encryption (AE)
AEAD (authenticated encryption with associated data), 16, 149, 157–158
AES. See Advanced Encryption Standard (AES)
AES-CBC, 69
AES-GCM, 152–154, 159–161
  efficiency, 154
  internals, 152–153
  security, 154
  and small tags, 161
  and weak hash keys, 159–161
AESENC instruction, 64
AESENCLAST instruction, 64
AES native instructions (AES-NI), 63–64
AEZ, 161–162
AKA (authenticated key agreement), 205–207
algebraic attacks, 85
Alvisi, Lorenzo, 125
amplitude, 252–253
Apple, 218, 231
application-specific integrated circuit (ASIC), 79
associated data, 149
asymmetric encryption, 1, 15. See also RSA (Rivest–Shamir–Adleman)
attack costs, 43–44
attack models, 10
  black-box, 11–12
  for key agreement protocols, 207
  gray-box, 12
authenticated ciphers, 148
  with associated data, 149
  functional criteria, 151–152
  nonces, 149–150
  online, 151
  performance, 150–151
  permutation-based, 157–158
  security, 150
  streamability, 151
authenticated decryption, 148
authenticated Diffie–Hellman, 210–213
authenticated encryption (AE), 16, 145
  authenticated ciphers, 148–152
  OCB, 155–156
  padding oracle attacks, 74–75
  permutation-based AEAD, 157–158
  SIV, 156–157
  using MACs, 146–148
authenticated encryption with associated data (AEAD), 16, 149, 157–158
authenticated key agreement (AKA), 205–207
authentication tag, 16. See also authenticated encryption (AE); MACs (message authentication codes)
AVX (Advanced Vector Extensions), 55

B
backtracking resistance, 26
backward secrecy, 26
BcryptGenRandom() function, 33–34
Bellare, Mihir, 143
Bellaso, Giovan Battista, 3
Bellcore attack, 196–197
Bernstein, Daniel J., 52, 95, 100, 136, 139, 230, 231, 261
big-number libraries, 192
binary , 192
birthday attacks, 109
birthday paradox, 109
Bitcoin, 106
bit security, 42–43
BLAKE, 120
BLAKE2, 215, 226
  BLAKE2b, 123
  BLAKE2s, 123
  compression function, 124
  design rationale, 123
blinding attacks, 189
block ciphers, 53. See also Advanced Encryption Standard (AES)
  block size, 54–55
  CBC mode, 67–70
  codebook attacks, 55
  CTR mode, 71–72
  decryption algorithm, 54
  ECB mode, 65–67
  encryption algorithm, 54
  Feistel schemes, 58–59
  , 56
  meet-in-the-middle attacks, 72–74
  modes of operation, 65
  rounds, 56
  round keys, 56–57
  security goals, 54
  slide attacks, 56–57
  substitution–permutation networks, 57–58
Bluetooth, 78
Boneh, Dan, 199
Bos, Joppe W., 233
broadcast attack model, 95
Brumley, David, 199
brute-force attacks, 41, 90

C
CA (certificate authority), 238–240, 247–248
cache-timing attacks, 63
Caesar cipher, 2–3
CAESAR competition, 161
Canetti, Ran, 143
carry-less multiplication (CLMUL), 153
CBC. See cipher block chaining (CBC)
CBC-MAC, 134
CCA (chosen-ciphertext attackers), 11
CCM (counter with CBC-MAC), 162, 243
CDH (computational Diffie–Hellman), 204
certificate authority (CA), 238–240, 247–248
certificate chain, 239, 247
ChaCha20, 95, 120, 138, 243–244
chaining values, 112
Chinese remainder theorem (CRT), 195–196
chosen-ciphertext attackers (CCA), 11
chosen-message attacks, 129
chosen-plaintext attackers (CPA), 11
Chrome browser, 118, 231
Chuang, Isaac, 269
ciphers, 1
cipher-based MAC (CMAC), 134–135
cipher block chaining (CBC), 67–69
  ciphertext stealing, 70
  padding, 69–70
  padding oracle attacks, 74
ciphertext, 2
ciphertext-only attackers (COA), 11
ciphertext stealing, 70
C language, 63

Clay Mathematics Institute, 46, 171
client certificate, 246
clique problem, 169
CLMUL (carry-less multiplication), 153
closest vector problem (CVP), 264–265
CMAC (cipher-based MAC), 134–135
CMAC-AES, 157
COA (ciphertext-only attackers), 11
code-based cryptography, 263–264
codebook attacks, 55, 90–91
Codenomicon, 248
coding problems, 179
Cohen, Henri, 233
Cold War, 53
collision resistance, 109, 113
complexity. See computational complexity
complexity class, 168
complex numbers, 253
compression functions, 111
  in BLAKE2, 124
  Davies–Meyer construction, 114
  in Merkle–Damgård construction, 112–113
  in SHA-1, 117
computational complexity, 164
  bounds, 167
  classes, 168
  comparison, 166
  constant factors, 165
  constant time, 166
  exponential, 165, 167
  exponential , 167
  linear, 165
  linearithmic, 165
  polynomial, 166–168
  quadratic, 165
  superpolynomial, 166–168
computational complexity theory, 163
computational Diffie–Hellman (CDH), 204
computational hardness, 164
computational security, 40–41
confidentiality, 1, 106
confusion, 57
constant-time implementations, 142
Coppersmith, Don, 199
counter mode (CTR), 71–72, 91, 152
counter with CBC-MAC (CCM), 162, 243
CPA (chosen-plaintext attackers), 11
CRCs (cyclic redundancy checks), 106
CRT (Chinese remainder theorem), 195–196
CryptAcquireContext() function, 34
CryptGenRandom() function, 33–34
Crypto++, 199
Cryptocat, 37
cryptographic security, 39. See also security
CTR (counter mode), 71–72, 91, 152
cube attacks, 85
Curve448, 244
Curve25519, 230–231, 244
Curve41417, 231
CVP (closest vector problem), 264–265
cyclic redundancy checks (CRCs), 106

D
Dahlin, Mike, 125
Damgård, Ivan, 111, 126
Data Encryption Standard. See DES (Data Encryption Standard)
Datagram Transport Layer Security (DTLS), 237
Davies–Meyer construction, 114, 117, 124
decisional Diffie–Hellman (DDH)
  assumption, 205
  problem, 204–205
decryption, 2
dedicated hardware, 79
DeMillo, Richard A., 199
DES (Data Encryption Standard), 53, 80
  3DES, 59, 72–74
  vs. AES, 59, 80
  block size, 54
  double DES, 73
  Feistel schemes in, 58–59
deterministic random bit generator (DRBG), 14, 25, 78
/dev/random, 32–33
/dev/urandom, 30–32
Diehard, 29
differential , 98–99
Diffie, Whitfield, 201
Diffie–Hellman problem, 178
Diffie–Hellman (DH) protocol, 201
  anonymous, 209–210
  authenticated, 210–213
  CDH problem, 204
  DDH problem, 204–205
  function, 202

Diffie–Hellman (DH) protocol, continued
  generating parameters, 202–203
  and key agreement, 205–208, 225–229
  MQV protocol, 213–214
  and shared secrets, 202, 214–215
  in TLS, 215, 242–243
  twin problem, 205
  unsafe group parameters, 215–216
diffusion, 57
digest, 106
DigiNotar, 248
digital signatures, 106, 182, 188–189
discrete logarithm problem (DLP), 174–176
  and CDH problem, 204
  ECDLP, 224–225
  and Shor's algorithm, 259, 260
distribution. See probability distribution
drand48, 28
DRBG (deterministic random bit generator), 14, 25, 78
DTLS (Datagram Transport Layer Security), 237
Durumeric, Zakir, 36

E
ECB (electronic codebook), 65–67
ECC (elliptic-curve cryptography), 217
ECDH (elliptic-curve Diffie–Hellman), 226, 232–233
ECDSA. See elliptic curve digital signature algorithm (ECDSA)
ECDLP (elliptic curve discrete logarithm problem), 224–225
ECIES (elliptic curve integrated encryption scheme), 229
Ed448-Goldilocks, 231
Einstein–Podolsky–Rosen (EPR) paradox, 252
elliptic curves, 217–218, 244
  addition law, 221
  Curve448, 244
  Curve25519, 230–231
  Curve41417, 231
  Edwards curves, 219
  groups, 224
  with integers, 219–220
  NIST curves, 230
  order, 224
  point at infinity, 222, 224
  point doubling, 222–223
  point multiplying, 223
  prime curves, 230
  Weierstrass form, 218
elliptic-curve cryptography (ECC), 217
elliptic-curve Diffie–Hellman (ECDH), 226, 232–233
elliptic curve digital signature algorithm (ECDSA), 226
  and bad randomness, 232
  vs. RSA signatures, 227–228
  signature generation, 226
  signature verification, 226–227
elliptic curve discrete logarithm problem (ECDLP), 224–225
elliptic curve integrated encryption scheme (ECIES), 229
embarrassingly parallel, 43, 90
Encapsulating Security Payload (ESP), 241
encrypt-and-MAC, 146–147
encryption, 1
  asymmetric, 15
  at-rest, 15
  in-transit, 15
  randomized, 13
  security, 9
encrypt-then-MAC, 147–148, 152
entanglement, 252, 255
entropy, 23–24, 35–36
entropy pool, 25
EPR (Einstein–Podolsky–Rosen) paradox, 252
error-correcting codes, 263
ESP (Encapsulating Security Payload), 241
eSTREAM competition, 86, 103
eth roots, 185
Euler's theorem, 198
Euler's totient function, 183
exponentiation, 192, 194
extended Euclidean algorithm, 184

F
, 6
factoring methods, 172

factoring problem, 46, 171
  and NP-completeness, 173–174
  solving with Shor's algorithm, 259–260
factorization, 172–173, 176–177
fast correlation attacks, 85
fault injection, 196–197
FDH (Full Domain Hash), 190–191
feedback shift registers (FSRs), 80–82
  cycle, 82
  feedback function, 80
  linear, 83–85
  nonlinear, 86
  period, 82
Feistel schemes, 58–59
Ferguson, Niels, 26, 161
FHE (fully homomorphic encryption), 17
field-programmable gate array (FPGA), 79
filtered LFSR, 85
first-preimage resistance, 108
fixed points, 114
Flame, 126
forgery attacks, 128
format-preserving encryption (FPE), 16–17
Fortuna, 26–27
forward secrecy, 26, 208
  in authenticated DH, 211
  in TLS 1.3, 246–247
Fouque, Pierre-Alain, 143
FOX, 58
FPGA (field-programmable gate array), 79
frequency analysis, 4
Frey, Gerhard, 233
FSRs. See feedback shift registers (FSRs)
full diffusion, 99
Full Domain Hash (FDH), 190–191
fully homomorphic encryption (FHE), 17

G
GCD (greatest common divisor), 36, 184, 195, 260
GCHQ (Government Communications Headquarters), 202
GCM (Galois Counter Mode), 146, 152, 161. See also AES-GCM
gcm_ghash_clmul function, 153
general number field sieve (GNFS), 173, 204
getrandom() system call, 33
GHASH, 152–154, 159–160
Gilbert, E.N., 136
Git, 105
GitHub, 51
Gmail, 248
GMR-1, 103
GMR-2, 103
GNFS (general number field sieve), 173, 204
GNU Multiple Precision (GMP), 192
GnuPG, 52
Go, 140, 191, 193
Goldberg, Ian, 35
Goldwasser, Shafi, 19
Google, 118, 248
  Chrome, 231
  Internet Authority, 239
GOST, 53, 59
Govaerts, René, 126
Government Communications Headquarters (GCHQ), 202
Grain-128a, 86–88
graphics processing unit (GPU), 91
greatest common divisor (GCD), 36, 184, 195, 260
Grøstl, 120
groups, 174
  axioms, 175
  commutativity, 175
  cyclic, 175
  finite, 175
  generator, 175
  in RSA, 182–183
Grover's algorithm, 260
GSM mobile communication, 78
guess-and-determine attacks, 89–90

H
Hadamard gate, 256–257
Halderman, Alex, 36, 233
hardness assumption, 174
hard problems, 163. See also computational complexity
  closest vector problem, 264
  discrete logarithm problem, 174–176
  factoring problem, 171–174
  , 264

hard problems, continued
  multivariate quadratic equations, 265
  NP-complete problem, 169–170
  and provable security, 46–47
  P vs. NP problem, 170–171
  short integer solution, 264
hardware, 63, 102
hash-based cryptography, 266–267
hash-based MACs, 132–133
hash functions, 105. See also Merkle–Damgård (M–D) construction
  3-collisions, 113
  collisions in, 109–111
  compression functions, 112
  Davies–Meyer construction, 114
  in digital signatures, 106
  iterative, 111
  keyed, 127
  multicollisions, 113
  noncryptographic, 106
  preimage resistance, 107–109
  in proof-of-storage protocols, 125–126
  and P vs. NP problem, 171
  security notions, 106
  sponge functions, 115–116
  universal, 136–137
  unpredictability, 107
hash values, 106
Heartbleed, 248–249
Hellman, Martin, 201
Heninger, Nadia, 36, 233
heuristic security, 48–49
HMAC-based KDF (HKDF), 215, 244
HMAC (hash-based MACs), 132–133
host-based intrusion detection system (HIDS), 105
HTTPS, 237
  insecure, 154, 178
  keys for, 49, 52
  over TLS, 94, 215, 236

I
iCloud, 248
identity gate, 256
IES (integrated encryption scheme), 229
IETF (Internet Engineering Task Force), 152
IKE (Internet Key Exchange), 134
imaginary number, 253
IND-CPA, 13–14
indifferentiability, 126
indistinguishability (IND), 12–13, 129
informational security, 40
initial value (IV), 67–69, 112, 135
integrated encryption scheme (IES), 229
integrity, of data, 16, 106, 128
Intel, 30
Internet Engineering Task Force (IETF), 152
Internet Key Exchange (IKE), 134
internet of things (IoT), 235
intractable problems. See hard problems
invalid curve attack, 232
invasive attacks, 12
ion traps, 262
ipad, 132
IPSec (Internet Protocol Security), 128, 132, 134, 148, 152
iterative hashing, 111
IV (initial value), 67–69, 112, 135

J
Jager, Tibor, 233
Java, 19
JH, 120
Jovanovic, Philipp, 158

K
KDF. See key derivation function (KDF)
Keccak, 121–123. See also SHA-3
Kelsey, John, 26, 38, 45
Kerckhoffs, Auguste, 4, 10
Kerckhoffs's principle, 10–11
key agreement protocols, 49, 202, 205
  AKA, 205–207
  attack models, 207
  breaches, 207, 211, 214
  data leaks, 207, 212
  eavesdroppers, 207, 211
  forward secrecy, 208
  performance, 208
  security goals, 207–208
key confirmation, 212, 214
key control, 208

key derivation function (KDF), 49
  in DH functions, 202, 215
  in ECIES, 229
  in TLS 1.3, 243–244
key generation, 49–50
key-generation algorithm, 50
key scheduling algorithms (KSAs), 11, 92
key wrapping, 50
knapsack problem, 169
known-message attack, 128
known-plaintext attackers (KPA), 11
known-plaintext attacks (KPAs), 89
Knudsen, Lars, 47
Kohno, Tadayoshi, 26
Kotla, Ramakrishna, 125
Kozierok, Charles, 237
Krawczyk, Hugo, 143, 216
Krovetz, Ted, 156
KSAs (key scheduling algorithms), 11, 92
, 116

L
lattice-based cryptography, 264–265
lattice problems, 179
learning with errors (LWE), 264, 267
least significant bit (LSB), 165, 193
length-extension attacks, 125, 131
Let's Encrypt, 249
Leurent, Gaëtan, 143
, 263
linear combination, 28
linear feedback shift registers (LFSRs), 83
  in A5/1, 88–89
  filtered, 85
  in Grain-128a, 87–88
  polynomials, 83
  security, 84
linear transformation, 265
Linux, 32, 66, 239
Lipton, Richard J., 199
logarithm, 23, 42
long-term key, 211
lower bound, 41
low-exponent attacks, 195
LSB (least significant bit), 165, 193
Lucifer, 58
LWE (learning with errors), 264, 267

M
MACs (message authentication codes), 127
  authentication tag, 128
  CBC-MAC, 134–135
  chosen-message attacks, 129
  CMAC, 134
  dedicated designs, 136
  encrypt-and-MAC, 146–147
  encrypt-then-MAC, 147–148, 152
  forgery attacks, 128
  HMAC, 132–133
  MAC-then-encrypt, 147
  vs. PRFs, 130
  replay attacks, 129
  timing attacks, 140–142
  Wegman–Carter, 137–138
MacBook, 194
MAC-then-encrypt, 147
MacWilliams, F.J., 136
malleability, 186
man-in-the-middle attacks, 206, 209–210, 236
mask generating function, 188
matrix multiplication, 256
McEliece , 263
MD5, 116, 126
M–D construction. See Merkle–Damgård (M–D) construction
measurement (quantum physics), 252, 255
MediaWiki, 36
meet-in-the-middle (MitM) attacks, 72–74
memory, 44
memory footprint, 55
Menezes–Qu–Vanstone (MQV), 213–214, 226
Merkle, Ralph, 111, 126, 202
Merkle–Damgård (M–D) construction, 111
  length-extension attacks, 125, 131
  multicollisions, 113
  padding, 112–113
  security, 113
Merkle's puzzles, 202
Mersenne Twister (MT) algorithm, 28, 36
message authentication codes. See MACs (message authentication codes)

Micali, Silvio, 19
Microsoft, 65
Microsoft Windows CryptoAPI, 194
misuse resistance, 150
MitM (meet-in-the-middle) attacks, 72–74
mode of operation, 4, 5, 65
Moore, Jonathan, 233
most significant bit (MSB), 28, 135, 138, 215
MQ (multivariate quadratics), 265
MQV (Menezes–Qu–Vanstone), 213–214, 226
MT (Mersenne Twister) algorithm, 28, 36
mt_rand, 28
multicollisions, 113
multivariate cryptography, 265–266
multivariate problems, 179
multivariate quadratics (MQ), 265

N
Naehrig, Michael, 233
National Institute of Standards and Technology (NIST), 29, 53, 59, 120–121
National Security Agency (NSA), 59, 116, 213, 251
Netscape, 35, 237
network-based intrusion detection systems (NIDS), 105
Neves, Samuel, 123, 158
NFSR (nonlinear feedback shift register), 86
Nguyen, Phong Q., 143
Nielsen, Michael, 269
NIST (National Institute of Standards and Technology), 29, 53, 59, 120–121
NM (non-malleability), 13
nonces, 71–72, 78–79
  predictability, 149–150
  reuse, 101
  in TLS records, 241
  WEP insecurity and, 93–94
nondeterministic polynomial time class. See NP (nondeterministic polynomial time) class
nonlinear equation, 29
nonlinear feedback shift register (NFSR), 86
non-malleability (NM), 13
nonrepudiation, 188
non-uniform distribution, 23
NP (nondeterministic polynomial time) class, 168–169
NP-complete problem, 169–170
NP-hard problem, 170
NSA (National Security Agency), 59, 116, 213, 251
NSS library, 199
number field sieve, 204

O
OAEP. See Optimal Asymmetric Encryption Padding (OAEP)
OCB (offset codebook)
  efficiency, 156
  internals, 155–156
  security, 156
one-time pad, 7
  encrypting with, 7–8
  security, 8–9, 13, 40
one-way function, 107
opad, 132
OpenSSH, 136, 217, 231
OpenSSL toolkit
  generating DH parameters, 203
  generating keys, 30, 49, 177–178
  GHASH bug, 153
  Heartbleed, 248–249
  unsafe DH group parameters, 215–216
Optimal Asymmetric Encryption Padding (OAEP), 52, 186
  encoded message, 187
  mask generating function, 188

P
P (polynomial time) class, 166–168, 168–169
padding, 19, 69–70, 112–113
  OAEP, 52, 186–188
  zero padding, 241
padding oracle attacks, 19, 74–75
parallelism, 43
parallelizability, 151, 154, 156
parent process ID (PPID), 35
password, 49, 129
Paterson, Kenny, 103

Peikert, Chris, 268
perfect secrecy, 7
period, 259
permutation, 4–5, 111
  pseudorandom, 54
  security, 5, 7
  in sponge functions, 115–116
  trapdoor, 181–182, 183
permutation-based AEAD, 157–158
PID (process ID), 35
pigeonhole principle, 109
PKCS (Public-Key Cryptography Standards), 186
plaintext, 2
PLD (programmable logic device), 79
Poly1305, 136–138, 139
Poly1305-AES, 138
polynomials, 83
  multiplication, 153
  primitive, 83–84
polynomial time (P) class, 166–168, 168–169
post-quantum cryptography, 252, 263
  code-based, 263–264
  hash-based, 266–267
  lattice-based, 264–265
  multivariate, 265–266
Post-Quantum Crypto Project, 269
post-quantum security, 261
power-analysis attacks, 193
PPID (parent process ID), 35
PQCrypto, 269
precomputation, 44, 208
prediction resistance, 26
preimage resistance, 107–109
Preneel, Bart, 126
pre-shared key (PSK), 243, 245
PRFs. See pseudorandom functions (PRFs)
prime numbers, 172
prime number theorem, 172
private keys, 15, 181
PRNGs. See pseudorandom number generators (PRNGs)
Probabilistic Signature Scheme (PSS), 189–190, 191
probability, 9, 22
probability distribution, 22–23
process ID (PID), 35
programmable logic device (PLD), 79
proof-of-storage protocols, 125–126
proof-of-work, 106
provable security, 46–48
pseudorandom functions (PRFs), 127
  vs. MACs, 130
  security, 129
pseudorandom number generators (PRNGs), 24–26
  cryptographic, 27–28
  entropy and, 35–36
  Fortuna, 26–27
  generating on Unix, 30–32
  generating on Windows, 33–34
  hardware-based, 34–35
  non-cryptographic, 27–28, 36–37
  security, 26
pseudorandom permutation (PRP), 54, 58, 138
PSPACE, 168
PSK (pre-shared key), 243, 245
PSS (Probabilistic Signature Scheme), 189–190, 191
public-key cryptography, 15
Public-Key Cryptography Standards (PKCS), 186
public-key distribution scheme, 201
public keys, 181
P vs. NP, 170–171
PyCrypto, 62
Pythagorean theorem, 253
Python language, 62, 66, 71, 92, 198

Q
Qualys, 249
quantum bit (qubit), 252
quantum byte, 255
quantum circuits, 255
quantum computers, 174, 251
quantum gates, 255, 256
quantum mechanics, 252
quantum random number generators (QRNGs), 25
quantum speed-up, 257
  exponential, 258
  quadratic, 258
quarter-round function, 96
qubit (quantum bit), 252

R
rand, 28
randomness, 21
random number generators (RNGs), 24–25

random oracle, 107
Ray, Marsh, 65
RC4, 79, 92–93
  broken implementation, 101–102
  in TLS, 94–95
  in WEP, 93–94
RDRAND instruction, 34–35
RDSEED instruction, 34
reduction, 46
replay attacks, 129, 206
Rho method, 110–111
Rijndael, 59
ring-LWE, 267
Rivest, Ron, 92, 103
Rivest–Shamir–Adleman. See RSA (Rivest–Shamir–Adleman)
RNGs (random number generators), 24–25
Rogaway, Phillip, 155, 156, 157
root of unity, 198
rounds, 48
round trips, 208
round-trip times (RTT), 245
RSA (Rivest–Shamir–Adleman), 181–182
  Bellcore attack, 196–197
  CRT, 195–196
  vs. ECDSA, 227–228
  encryption, 185
  and factoring problem, 46–47, 177
  FDH, 190–191
  groups, 182–183
  implementations, 191–192
  key generation, 184–185
  modulus, 182
  OAEP, 186–188
  private exponents, 197–199
  private keys, 50, 183, 184
  problem, 204
  PSS, 189–190, 191
  public exponents, 183
  public keys, 183
  secret exponents, 183
  security, 185
  shared moduli, 197
  signatures, 188–189
  small exponents, 194–195
  speed, 194–196
  square-and-multiply, 192–193
  textbook encryption, 185–186
  textbook signature, 188
  trapdoor permutation, 183
RSAES-OAEP, 186
RSA Security, 92
RTT (round-trip times), 245

S
Saarinen, Markku-Juhani O., 121, 166
safe prime, 203
SageMath, 176, 184
Salsa20, 95
  attacking, 99–100
  column-round function, 97
  double-round function, 97
  internal state, 96
  and nonlinear relations, 98–99
  quarter-round function, 96
  row-round function, 97
Salsa20/8, 99
, 190
sandwich MAC, 133
satellite phone (satphone), 102
S-boxes (substitution boxes), 57
scheduling problems, 170
Schneier, Bruce, 26, 38, 121
Schwenk, Jörg, 233
searchable encryption, 17
search algorithm, 164
second-preimage resistance, 108
secret-prefix MAC, 130, 133
secret-suffix MAC, 131
, 201, 236
secure cookie, 246
Secure Hash Algorithms (SHAs), 116
Secure Hash Algorithm with Keccak (SHAKE), 121
Secure Shell (SSH), 51–52, 128, 132, 147, 148, 152, 226, 240
Secure Socket Layer (SSL), 35, 235, 237
security
  bit, 42–43
  computational, 40–41
  cryptographic, 39
  goals, 10, 12–13
  heuristic, 46, 48–49
  informational, 40
  levels, choosing, 44–45
  margin, 48–49
  notions, 10, 13–15

security, continued
  post-quantum, 261
  proof, 46
  provable, 46–48
  semantic, 13, 18
session key, 205
SHA-0, 116–117
SHA-1, 116, 244
  attacks, 118–119
  collision, 118
  internals, 117–118
SHA-2, 119, 120, 125
SHA-3, 115, 121–123, 215
  competition, 120–121
  security, 123
  Zoo, 126
SHA-224, 119–120
SHA-256, 119–120, 226
  compression function, 119
  security, 120
SHA-384, 120
SHA-512, 120
SHAs (Secure Hash Algorithms), 116
SHAKE (Secure Hash Algorithm with Keccak), 121
Shannon, Claude, 8
Shor, Peter, 259
Shor's algorithm, 259–260
short integer solution (SIS), 264
Shrimpton, Tom, 157
side-channel attacks, 12, 140, 264, 269
Signal, 268
signatures, 106, 182, 188–189
SIM card, 206
Simon's problem, 258
Simple Mail Transfer Protocol (SMTP), 237
SipHash, 139–140, 142
SipRound function, 139–140
SIS (short integer solution), 264
SIV (synthetic IV), 156–157
, 121
slide attacks, 56–57
sliding window method, 193
Sloane, N.J., 136
SM3, 116
SMTP (Simple Mail Transfer Protocol), 237
SNOW3G, 91
Somorovsky, Juraj, 233
space complexity, 168
SPHINCS, 267
SPNs (substitution–permutation networks), 57–58, 60
sponge functions, 111, 115, 142
  absorbing phase, 115
  capacity, 116
  squeezing phase, 116
square-and-multiply, 192–193
SSH (Secure Shell), 51–52, 128, 132, 147, 148, 152, 226, 240
SSL (Secure Socket Layer), 35, 235, 237
SSL Labs, 249
statistical test, 29
Stevens, Marc, 118
streamability, 151, 154, 156
stream ciphers, 77
  counter-based, 79
  encryption and decryption, 78
  hardware-oriented, 79–80
  keystream, 78
  nonce reuse, 101
  software-oriented, 91
  stateful, 79
, 116
substitutions, 4–5
substitution boxes (S-boxes), 57
substitution–permutation networks (SPNs), 57–58, 60
superconducting circuits, 262
superposition, 252
symmetric encryption, 1, 15, 16
synthetic IV (SIV), 156–157

T
tags, 16. See also authenticated encryption (AE); MACs (message authentication codes)
TE (tweakable encryption), 17
TEA, 126
TestU01, 29
time complexity, 168
time-memory trade-off (TMTO) attacks, 18, 44, 90–91
timing attacks, 141, 193, 199, 269
TLS (Transport Layer Security), 35, 78, 128, 130, 147, 235
  ClientHello, 242, 244, 245
  and Diffie–Hellman, 215
  downgrade protection, 244
  handshake, 237, 238–240, 241–243

TLS (Transport Layer Security), continued
  history of, 237
  RC4 in, 92, 94–95
  record, 240
  record payload, 240
  record protocol, 237, 240–241
  security, 236, 246–247, 247–249
  ServerHello, 242, 245
  session resumption, 245
  single round-trip handshake, 245
  version 1.3 algorithms, 243–244
  version 1.3 improvements, 244–245
  zero padding, 241
TLS Working Group (TLSWG), 249
TMTO (time-memory trade-off) attacks, 18, 44, 90–91
TOFU (trust-on-first-use), 240
traffic analysis, 241
Transport Layer Security. See TLS (Transport Layer Security)
trapdoors, 182
trapdoor permutations, 181–182, 183
traveling salesman problem, 169
triple DES (3DES), 59, 72–74
trusted third party, 238
trust-on-first-use (TOFU), 240
Turing Award, 202
tweakable encryption (TE), 17

U
UDP (User Datagram Protocol), 237
unforgeability, 128
uniform distribution, 23
unitary matrix, 257
universal hash functions, 136–137
Unix, 30
unpredictability, 107
upper bound, 42

V
Vandewalle, Joos, 126
van Oorschot, Paul C., 126
Vigenère, Blaise de, 3
Vigenère cipher, 3–4
virtual private network (VPN), 94

W
Wagner, David, 35, 38, 56, 101
Wegman–Carter MAC, 137–138, 152
Weierstrass form, 218
WEP (Wireless Encryption Protocol), 92, 93–94
Wiener, Michael, 52, 126, 199
Wi-Fi, 77
Wilcox-O'Hearn, Zooko, 123
Windows, 30
Winnerlein, Christian, 123
Winternitz one-time signature (WOTS), 266–267
Wireless Encryption Protocol (WEP), 92, 93–94
WPA2, 162
Wustrow, Eric, 36, 233

X
Xbox, 126
XOR swap, 101–102

Y
Yao, Andrew C., 216
Yarrow, 26

Z
Zhao, Yunlei, 216
ZUC, 91
